Behind Rosenstein’s encryption fight, just as Texas dispute heats up

11/09/2017 10:00 AM EST

With help from Cory Bennett, Eric Geller and Martin Matishak

ROSENSTEIN TAKES ENCRYPTION LEAD AS TEXAS DISPUTE BREWS — The government has gotten an unexpected leader in its battle to get access to encrypted devices just as a new fight is brewing over the locked iPhone of the gunman who killed 26 people in a Texas church. Rod Rosenstein, the Justice Department’s No. 2 official, “has emerged as a rhetorical leader on the issue in a series of speeches over the past few months,” Eric reports.

And his remarks have caught the attention of both the tech and law enforcement communities just as the two sides are preparing for another standoff in Texas. A U.S. official told POLITICO on Wednesday that encryption is blocking authorities from accessing the iPhone belonging to the Sutherland Springs, Texas, church shooter. Another person familiar with the matter said authorities didn’t contact Apple during the first few days it had the phone. In a statement Wednesday night, Apple said it had “immediately reached out to the FBI” after hearing about the iPhone in question. “We offered assistance and said we would expedite our response to any legal process they send us.” Whether the two sides actually end up in court remains to be seen.

Eric sat down with Rosenstein last week to discuss the deputy attorney general’s reasoning for taking such a vocal stance on the topic, as well as his plans going forward. “I want our prosecutors to know that, if there’s a case where they believe they have an appropriate need for information, and there is a legal avenue to get it, they should not be reluctant to pursue it,” he said. DOJ could sue the next time a company refuses to fulfill a warrant for encrypted data, Rosenstein said. Rosenstein has seen the problem up close, in both his current role and during two cases when he was a U.S. attorney in Maryland and law enforcement had trouble obtaining encrypted data. “My experience in those cases made it clear to me just how serious this issue was for traditional law enforcement,” he told POLITICO. “Increasingly it’s impacting our attorneys in their routine criminal cases.”

The story also reveals that the National Security Council’s cyber team has met to come up with options for the president. Rosenstein wouldn’t comment on the meetings, but he said that “senior officials in the department and the administration recognize that this is a problem.” Tech companies and other encryption advocates insist that guaranteeing access to secured data makes everyone less safe. For the full story, read here. You can also read the full transcript of Eric’s interview with Rosenstein here.

HAPPY THURSDAY and welcome to Morning Cybersecurity! So many fun, young, growing players in the NBA right now. Who’s most fun? Greek Freak? Porzingod? Myles Turner? Nikola Jokic? Send your thoughts, feedback and especially tips to tstarks@politico.com and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info below.

CYBER SUPERSTARS LOVE NIELSEN — More than 50 cybersecurity luminaries — most of them former high-ranking cyber officials in past Democratic and Republican administrations — endorsed President Donald Trump’s pick to lead the Homeland Security Department in a letter obtained by POLITICO. The letter states that DHS’s leading role within the federal government on cybersecurity, and nominee Kirstjen Nielsen’s work on cybersecurity in previous jobs such as at the George Washington University Center on Cyber and Homeland Security and the George W. Bush administration, make the pair an ideal match.

“This is a weighty responsibility, to be sure, and with the growing threat to our nation presented by increasingly aggressive nation-states targeting both our economic and political systems, as well as our national security infrastructure, and the increasing pace of attacks from criminal groups and hacktivists, we believe it is wise to put someone like Kirstjen, with cybersecurity experience in both the public and private sectors, in the leadership of the Department,” according to the letter.

Among the letter’s signatories are two recent heads of the NSA — Keith Alexander and Michael Hayden — as well as former White House cyber czar Michael Daniel and former State Department cyber coordinator Christopher Painter. A host of former DHS cyber officials, like Amit Yoran and Phil Reitinger, also signed the letter, as did former Director of National Intelligence Mike McConnell and a former attorney general, Mike Mukasey. The letter, sent to leaders of the Senate Homeland Security Committee, came on the same day Nielsen appeared before the panel and promised to focus on election security. The panel is scheduled to vote on her nomination today.

CYBER IN THE FINAL DEFENSE BILL — House and Senate negotiators on Wednesday unveiled their final fiscal 2018 defense policy bill (H.R. 2810), which includes several provisions focused on the digital domain. A summary of the measure indicates that lawmakers dropped a Senate proposal merging two of the Pentagon's top technology officers — chief information officer and chief management officer — into the new role of chief information warfare officer, who would have been responsible for both the Pentagon’s digital security and cyber warfare policy. Defense Secretary Jim Mattis knocked the idea in a so-called heartburn letter to Capitol Hill. Instead, the bill establishes the CMO as the No. 3 at DoD with an emphasis on the department’s business management practices.

The final legislation also dropped language crafted by Senate Armed Services Committee Chairman John McCain that would have established the country's first ever cyber warfare policy. The strategy would have dictated that the U.S. employ all tools of national power, including offensive digital weapons, to deter and respond to cyberattacks that aim to cause casualties, threaten infrastructure or disrupt normal business. The Trump administration — including Mattis in his letter — objected to the clause. The provision was converted into a requirement for the president to develop a “national policy for the United States relating to cyberspace, cybersecurity, and cyberwarfare, including the use of offensive cyber capabilities,” according to the summary.

The bill does prohibit the Pentagon from using software developed by Moscow-based Kaspersky Lab, bowing to concerns about the firm’s alleged connections to the Kremlin. Kaspersky has denied any inappropriate relationship.

Finally, the legislation features language designed to help agencies upgrade their aging and insecure technology, according to an Armed Services Committee aide. The Modernizing Government Technology, or MGT Act (S. 990), would create a government-wide IT modernization fund to disburse money to individual agencies for upgrades and direct agency CIOs to establish their own modernization funds. Together, the cash infusion would be used to update IT systems and transition old systems to the cloud.

The House is expected to vote on the massive bill next week, with the Senate voting sometime after that.

FTC … ACTIVATE! — Democrats on Wednesday stumped for expanding the FTC’s authority to punish companies that fail to protect Americans’ private data. They made their pitch during a Senate Commerce Committee hearing that featured top executives from Equifax and Yahoo, which both disclosed historic data breaches in recent months. During the hearing, Equifax’s interim CEO and Yahoo’s former chief Marissa Mayer — who left the company when it was acquired by Verizon earlier this year — detailed a number of steps they had taken to overhaul their internal security and protect customers from future scammers. But Democrats appeared unimpressed, saying it would take government action to truly change the cybersecurity landscape.

“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information,” said Commerce Committee ranking member Bill Nelson. Currently, the FTC can, on a case-by-case basis, bring enforcement actions against companies with poor data security, but Nelson lamented that “this piecemeal, after-the-fact approach would be better served if the FTC were able to prescribe rules that require companies to adopt reasonable security practices in the first place.”

Sen. Richard Blumenthal agreed. “The Equifax breach, in particular, exposed the limits of the Federal Trade Commission’s ability to protect consumers and impose civil penalties on companies that treat our data with negligence and recklessness,” he said. “Under current law, even some of the most egregious examples of lax security can be met only with apologies and promises.” Blumenthal has been trying to give the FTC civil penalty authority with his Data Breach Accountability and Enforcement Act (S. 1900).

Sen. Tammy Baldwin also chastised Equifax for its recent report clearing top officials of insider trading when they sold nearly $2 million in company shares shortly after the company discovered the intrusion. “The report failed to mention that Equifax’s chief legal officer, John J. Kelley, approved some of the stock sales on the same day that he called the FBI to alert it that the company had a problem,” she said. “It took Mr. Kelley two more weeks to inform the executives that they were no longer allowed to sell stock.” Baldwin called the delay “totally inappropriate.” The company’s interim CEO, Paulino do Rego Barros Jr., told Baldwin he felt he wasn’t in a position to offer input on “whether it was appropriate or not.”

At other points during the hearing, Mayer conceded that Yahoo failed to initially realize that a 2013 data breach had compromised all 3 billion customer email accounts in part because the firm was never able to discover how the intrusion actually happened. Mayer also argued that even the most sophisticated cyber defenses can’t stop foreign government hackers from breaking in. DOJ in March indicted two Russian spies for a separate hack at Yahoo, which exposed 500 million customers’ information.

DO NOT GO GENTLE INTO THAT GOOD NIGHT — Even though the House Judiciary Committee easily approved its legislation to reauthorize controversial surveillance programs, civil liberty groups are promising to keep pushing for long-sought-after reforms. Lawmakers voted, 28-7, to approve the USA Liberty Act (H.R. 3989) — which renews the spying efforts in Section 702 of the Foreign Intelligence Surveillance Act — but only after defeating a privacy advocate-preferred amendment that would have expanded a requirement that the FBI obtain a warrant before accessing the content of Americans’ communications swept up via 702 spying efforts.

The bill “risks codifying current illegal practices into law without adequate limits to protect Americans’ constitutional rights,” Neema Singh Guliani, the American Civil Liberties Union legislative counsel, said in a statement. “We urge Congress to remedy this problem as this bill advances,” she added. While the USA Liberty Act “contains a number of important reforms,” the bill’s warrant requirement exceptions “are so broad there is concern they could swallow the rule,” said Robyn Greene, the policy counsel and government affairs lead for the Open Technology Institute at the think tank New America. Members should focus on “expanding and strengthening the requirement that the government obtain a warrant before searching Section 702 data for Americans’ communications,” she said.

Meanwhile, the House bill picked up a key bipartisan pair of Senate supporters. “This bill is part of a promising, bipartisan effort to provide some long-overdue reforms to this surveillance authority,” Sens. Patrick Leahy and Mike Lee said in a joint statement. The remarks suggest a Section 702 bill (S. 2010) approved last month by the Senate Intelligence Committee could face opposition if it reaches the floor.

DON’T YOU FORGET ABOUT ME — The leaders of the House Foreign Affairs Committee want the Trump administration to keep them in the loop on its international cyber strategizing. In a Wednesday letter to Secretary of State Rex Tillerson, Committee Chairman Ed Royce and ranking member Eliot Engel said they wanted briefings on State’s contributions to two key parts of Trump’s cyber executive order. One section calls for options for deterring America’s digital adversaries, while the other will create a U.S. engagement strategy for international cyber cooperation. “It is our understanding that your recommendations will soon be transmitted to the White House,” the lawmakers wrote to Tillerson. “Accordingly, we look forward to an update from the appropriate Administration officials on these topics as soon as possible.”

Royce and Engel also asked for an update on State’s “cyber functions generally,” given Tillerson’s decision to close the office of America’s top cyber diplomat and merge its functions with the economic bureau. The committee leaders have introduced a bill that would recreate the office and appoint a high-level cyber ambassador. In their letter, the two lawmakers also urged Tillerson to publicly release State’s cyber strategy reports, noting that the Obama administration released a comparable document in 2011. “We are concerned that making a report on cyber deterrence entirely classified would undermine its purpose,” they wrote. “It is important for our adversaries to know that the United States is prepared to take strong and decisive actions against malicious cyber behavior.”

A WHOLE NEW WORLD — NATO is reorganizing how it responds to cyber threats and uses its members’ digital capabilities. On Wednesday, NATO defense ministers agreed to form a Cyber Operations Center as part of a broader overhaul of the military alliance’s organizational structure. “This will strengthen our cyber defences, and help integrate cyber into NATO planning and operations at all levels,” said NATO Secretary General Jens Stoltenberg after a meeting of defense ministers in Brussels.

The NATO officials, Stoltenberg said, also agreed that the alliance should “be able to integrate [members’] national cyber capabilities into NATO missions and operations,” just as it can coordinate the use of nations’ kinetic capabilities even as nations still control them. “We must be just as effective in the cyber domain as we are on land, at sea and in the air,” Stoltenberg told reporters.

TAX ALL, FOLKS — The FTC on Wednesday finalized an agreement with a tax preparation service that suffered a data breach affecting almost 9,000 users. The late 2015 data breach at the online service TaxSlayer gave hackers access to customers’ financial information, which they then used to obtain fraudulent tax refunds, according to the FTC’s complaint. The commission said in a statement that TaxSlayer “violated the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality and integrity of customer information, and the Privacy Rule, which requires financial institutions to deliver privacy notices to customers.” TaxSlayer did not admit guilt in the settlement and will not have to pay a fee.

RECENTLY ON PRO CYBERSECURITY — “DOJ indicted a Pennsylvania man today for conspiring to hack people’s online trading accounts and use them in a short-selling scheme.” … Rep. Debbie Dingell introduced a bill to expedite security clearances for election officials to receive classified cyber threat data and require a paper record of all votes for auditing purposes.